Towards proactive security

It was Thursday, September 16, 1996, around 10am when the first
news stories broke announcing that the Central Intelligence Agency
had been hacked. News reporters scrambled to get further details on
the story and write their own reports on the "compromise of the
Central Intelligence Agency computer systems". As people tuned in
for their morning news shows they learned of this devastating
computer intrusion into the top US spy agency. The break-in
furthered the growing hacker hysteria.

The reality of the situation was eventually set straight by a
few knowledgeable security enthusiasts and hackers who began
attempting to educate reporters that the break-in "at the CIA" was
not equivalent to someone having access to classified information,
or computers that were housed within CIA buildings. Instead, the
people who broke into the CIA had simply defaced the
internet-facing website of the CIA. As reporters began to
understand that the CIA had not been compromised to the level of
their imaginations, they began to release updated news stories
attempting to educate the public on the differences between being
digitally compromised and having a website defaced.

This is but one of many examples of how people presently think
about hacking and security very differently compared to the past.
Today, security topics such as hacking have broken completely into
the mainstream - from the countless movies that feature hacking, to
Paris Hilton's recent appearance on the Tonight Show talking about
"hackers breaking codes" to hack
into her T-Mobile account.

The increased exposure to security topics has no doubt travelled
through the minds of even those who are not the most computer
savvy. Businesses have also become vastly more knowledgeable in
their understanding of security compared to years past. Yet, with
all of this focus on security, it seems in many cases that we are
taking two steps back while the bad guys are taking a giant leap
forward.

Five years ago most computer intrusions were benign in nature.
They were typically performed by people motivated to perform a
digital prank or make a statement, as was the case with the CIA
hack. Most corporate break-ins were typically someone altering a
company's website to show amusing graphics or to put up a political
message. Many website defacements were also done by teenagers who
just wanted the satisfaction of knowing they could do it - the
thrill of the hack. But not all hacks were simple pranks.

Phishing is one of the most widely used terms today in computer
security, and its roots really started years ago on computer
network services like AOL, Prodigy, and Compuserve. Phishing
started off as mostly a one-to-one social engineering scheme. The
first real criminal uses of phishing attacks were actually on AOL.
Attackers pretended to be AOL employees and attempted to trick (via
electronic chat) AOL customers into giving up their passwords and
account information. These attackers would then use this account
information in order to use AOL services free or to sell the
accounts to other people. Once people began to realise how easy it
was to falsify trust on a computer they started to elevate the
attacks to go beyond tricking people out of their account
information and instead started to get people to provide their
credit card and social security information. Attackers then began
using this information to order merchandise that they could either
use themselves or that they could resell to people for money.

Eventually attackers found easier ways to perform phishing scams
by using backdoor programs, or trojan horses. A trojan horse is
software that can be installed on a victim's computer to give an
attacker full access to everything on the computer. This meant easy
access to any account information, credit card data, etc. But even
when attackers started to realise they could make a little money by
performing illegal computer activities, the average attacker was
still more driven to make a statement or get media recognition. One
of the more popular ways of achieving this goal, then and now, was
by writing a computer virus.

Computer viruses have been around longer than almost any other type of
computer threat, and also have been one of the most popular ways
for hackers to make a name for themselves due to the large amount
of press coverage that an effective virus can get. A virus can
garner recognition far beyond any website defacement. But viruses
had to run their course of popularity and give way to the ultimate
"prank", and potentially the most devastating attack: the computer
worm.

Unlike a virus that requires a user at a computer to be tricked
into running a "bad" program, worms can simply replicate from one
computer to another without any human intervention. While computer
worms sound a lot more advanced than viruses, they are not a new
phenomenon. In fact, one of the earliest computer worms was
discovered over 17 years ago in 1988. This first known computer
worm was written by the son of a scientist who was employed by the
secretive US spy agency, the National Security Agency. That worm
eventually became known as the Morris Worm, named after its
author.

Worms have been around for a while, but nothing made the public
more aware of the power of a computer worm than the introduction
of the CodeRed worm in 2001. Since then, computer worms have been
one of the biggest driving factors behind increased computer
security. Software vendors were given a wake-up call to build more
secure software, and businesses also realised they needed to do
more to secure their organisations because worm attacks resulted in
large losses of revenue.

Worms affected the computer security world so intensely that
people seemed to forget that threats did exist beyond the computer
worm. As more worms like Sapphire/Slammer, Blaster and Sasser were
discovered and reported on by the media it seemed as though
organisations built all of their security processes almost entirely
around worms. But what happened to websites being compromised?
Backdoors/trojans? Phishing attacks? And targeted computer
intrusions? Had the bad guys really forgotten about all of these
possibilities and simply retired to write computer worms? As our
security consciousness began to awaken we realised that the "bad
guys" had not forgotten; we had.

The security industry became so fixated on large-scale attacks
such as computer worms that many people forgot about the basics of
security and the threats we face. Even companies such as Microsoft
woke up one day to find themselves surrounded by spyware and
phishing problems for which they could offer their customers no
solutions. Microsoft, like most of the industry, is quickly trying
to react to these "new threats" which seem to have popped up
overnight. Other industry giants like Symantec and McAfee have also
been blindsided by their complacency. A new hundred-plus
million-dollar spyware industry has cropped up almost overnight. Is
spyware really even a new threat? Have we not been paying attention
to the age-old basic security threats?

The anti-spyware business is one of the greatest scams to ever
happen within the security industry. Most spyware attacks have the
same properties of older threats such as viruses and trojans, and
the fact of the matter is that anti-virus engines are the
technology best suited to detect and eradicate spyware. But why
should the anti-virus vendors tell you, the consumer, that their
anti-virus engines can detect and block spyware when they can sell
you a completely separate spyware solution for another $US30
($A39.67) per desktop in addition to the $US30 you probably already
are paying for anti-virus software? It is clear that spyware is no
different, from a detection perspective, than the viruses and
trojans of years past, but one thing has changed: the people behind
these newly "rediscovered" threats are no longer kids motivated by
pranks and media recognition.

In the last two years the type of people behind the threats
which businesses and consumers are facing has become dramatically
different. While there are still the handful of young attackers
looking to make names for themselves and have a little "fun", the
overwhelmingly more common attacker is someone who is motivated
purely by money. Look no further than threats like phishing and
spyware for evidence of this.

Phishing has grown from a one-on-one social engineering scam to
a globally coordinated criminal business that yields even the
smallest of phishing groups millions of dollars. With the merging
of real-life and cyber criminals there is a very real threat to
financial institutions and businesses. Phishing attacks can now be
coordinated scams to steal hundreds of thousands of credit card
numbers and identities, which can be used by criminal enterprises
to turn information into real-world currency. This is all made even
easier by coupling the resources of organised crime; for example
the ability to set up fake businesses and merchant accounts in
order to process large quantities of stolen credit card
information. Bad guys have realised that if you are able to hack
into a website to be able to deface it you can probably make a lot
of money off of the data stored on that website. In any given month
you can find at least a few examples of companies being broken
into and having their customer databases stolen.
These databases are just information but this information is now a
commodity that can be bought and sold to the highest bidder for
real-world currency.

While the financial losses due to phishing attacks may be more
tangible than the effects of website defacement, are the attacks
themselves really that much different? Unfortunately, the answer is
no. So why is it still happening?

Through it all, people have remained reactive: software vendors,
security companies, consumers, and businesses. For as much as
security is a hot topic of discussion, it is still not a core focus
for many organisations. It is a top priority and yet the first
thing to take a backseat to other projects. We never progress with
anticipation, we digress with adaptation.

Software authors still treat security as more of a public
relations problem than something in which they truly have to invest,
and why should they treat it any other way? Businesses and
consumers continue to buy insecure software without demanding
better. Some software vendors such as Microsoft have made a visible
effort to improve the security of their software, but at the same
time they have doubled their efforts to improve the PR processes to
create a sense of security beyond the true efforts they are setting
forward.

Security is obviously a focus for security software and service
companies, but the reality of the situation is that most of the
large security companies are happy providing reactive security
solutions to businesses and consumers because reactive solutions
sell well. They also constantly need signature updates, which means
a steady revenue stream for them, at your expense. Few security
companies have truly challenged their engineers to create solutions
that protect from the core of security problems, and the few
companies that have are quickly acquired by the much larger
security companies and the innovation dies out.

To businesses, security is still not equal to paying your
electric bill. It is a nuisance, a distraction, a resource drain,
and it is expensive. However, when that worm hits, when that hacker
attacks, then blame is quick to be assigned. What most
organisations do not yet understand is that improving security is
not all about buying the latest and greatest products. It is about
changing the corporate culture to make security a realistic
priority, and to understand that the upfront investment in security
resources and processes will be far less costly than the
reactionary efforts after an attack.

We truly have started to reach the climax of a time when
information is power. Technology pioneers have always sought the
holy grail of information at your fingertips and ubiquitous
computing. The one thing that none of these pioneers thought of at
the time is the fact that ubiquitous computing really means
ubiquitous information. Our lives and businesses are constantly
becoming more digital, and that only makes it easier for criminals
to further capitalise on the insecurities within software and
systems. As things progress the effects of a successful technology
hack will grow exponentially more severe. With this exponential
increase in the criticality of threats there has never been a time
that requires innovation and proactive security solutions more than
now.

Proactive security is the only way we will begin to attain
trusted computing and take back technology from criminals. The idea
of being proactive with security is not something mythical by any
means. It starts with attacking the root of the problems we face.
The core characteristics of attacks have not changed. Classes of
attacks such as buffer overflows have not changed much in twenty
years. Nor have other application-layer attacks such as those that
affect protocols like HTTP. Security technologies have advanced and
will continue to be developed to prevent general classes of attack;
but proactive security is not just about advanced security
technologies that can generically prevent classes of attacks. We
must be proactive on all fronts.

Businesses and consumers need to think proactively about how to
protect their systems in the long run. They need to design
processes that review security on a regular basis, not just in
reaction to attacks. They also need to demand better from software
manufacturers and force vendors to create more secure software by
not continuing to purchase knowingly vulnerable software. Software
vendors also need to play their part in being proactive about
security by investing in proper security planning before
development efforts begin.

Some would say the future of security is doom and gloom, but in
reality I think the light at the end of this tunnel has never been
brighter. Through all security discussion there is one theme that
binds everything together: vulnerabilities. As I have watched
hacking and security change over the years the only things that have
remained constant are the vulnerabilities and the characteristics
that shape them. If security vendors and consumers
believe in this, then we will reach a point where we can finally
say "vulnerability is over".

P.S. On a personal note vulnerabilities have been my life's
passion and with that the core focus of eEye and the products we
create. For those that have followed us over the years you have
probably seen the numerous highly critical vulnerabilities we have
discovered, and the worms we have researched, from CodeRed and
beyond. Through the years of vulnerability research we have finally
built a product that we hope can help solve the problems businesses
face, and at the same time challenge people to bring innovation
back to the security industry. And with that I would like to
announce: Blink - eEye's
Host Based Security Solution.

Marc Maiffret is a well-known security researcher and chief
hacking officer of eEye Digital
Security. This article was first published in the company's
newsletter and is reproduced with permission. Copyright rests with
the author.